OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-use message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [UC-1-04:ARundgrenPush]


I completely concur with your opinion on this issue.  We do have a clear
process to follow.

We (Anders?) should write up a concrete use case, called something like
"negotiate trust relationship between partners".  We should then discuss on
the mailing list/concalls to make sure the use case is described enough for
us to vote on.  We should then vote on the use-case.  My early prediction is
that the use case will not pass muster - certainly a lot would have to be
done to convince me to vote for it - but we will have followed the process
and we will have useful artifacts for future work.


> -----Original Message-----
> From: Evan Prodromou [mailto:evan@outlook.net]
> Sent: Monday, February 12, 2001 2:27 PM
> To: S2ML-USE
> Subject: Re: [UC-1-04:ARundgrenPush]
> >>>>> "HL" == Hal Lockhart <hal.lockhart@entegrity.com> writes:
>     >> You also lack a business case.  Why do you need a particular
>     >> business case when we are talking about extending the access
>     >> system of practially all computer systems (but with arbitrary
>     >> granularity and semantics) to function over the web between
>     >> different, independent and constantly changing organizations as
>     >> well?  IMO that's *hell* of a use case!  If it is a hell to
>     >> design I am not yet able to tell.
> I'm replying to the wrong message, so, sorry.
> But I think Anders has gotten to the kernel of this issue. I think for
> most of us with experience with AuthXML or S2ML, we've dealt from the
> get-go with expecting peer security systems to have arranged their
> partnership out-of-band. In other words, there are configuration
> options on each piece of software that say what data is sent as
> credentials, what profile information to share, what keys belong to
> what security system, etc.
> We explicitly have this called out in the current doc, saying that
> "trust negotiations must be made out-of-band." I agree with Anders
> that there's a momentous opportunity in dropping this non-goal and
> allowing the trust relationship to be negotiated IN-band ("Who are
> you? Who says that's you? What do you want?").
> However, I am extremely leery of this expansion of scope. I wonder if
> there's an opportunity here to stow away this use case and use it for
> a next version of [OSSML] or for even another effort of this
> TC. Something that operates well with what we do, but not part of this
> current effort.
> ~ESP

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC